Function Description

The cors plugin can enable CORS (Cross-Origin Resource Sharing) HTTP response headers for the server.

Execution Attributes

Plugin execution phase: Authorization Phase
Plugin execution priority: 340

Configuration Fields

NameData TypeRequiredDefault ValueDescription
allow_originsarray of stringOptionalAllowed Origins for cross-origin access, formatted as scheme://host:port , for example, http://example.com:8081. When allow_credentials is false, can be used to allow all Origins through.
allow_origin_patternsarray of stringOptional-Patterns for matching allowed Origins for cross-origin access, using to match domain or port,
for example http://.example.com — matches domain, http://.example.com:[8080,9090] — matches domain and specified ports, http://.example.com:[] — matches domain and all ports. A single indicates matching all domains and ports.
allow_methodsarray of stringOptionalGET, PUT, POST, DELETE, PATCH, OPTIONSAllowed Methods for cross-origin access, for example: GET, POST, etc. can be used to indicate all Methods are allowed.
allow_headersarray of stringOptionalDNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,
If-Modified-Since,Cache-Control,Content-Type,Authorization		Allowed Headers for the requester to carry that are not part of CORS specifications during cross-origin access. can be used to indicate any Header is allowed.
expose_headersarray of stringOptional-Allowed Headers for the responder to carry that are not part of CORS specifications during cross-origin access. can be used to indicate any Header is allowed.
allow_credentialsboolOptionalfalseWhether to allow the requester to carry credentials (e.g. Cookies) during cross-origin access. According to CORS specifications, if this option is set to true, cannot be used for allow_origins, replace it with allow_origin_patterns.
max_agenumberOptional86400 secondsMaximum time for browsers to cache CORS results, in seconds.
Within this time frame, browsers will reuse the previous inspection results.

Note

  • allow_credentials is a very sensitive option, please enable it with caution. Once enabled, allow_credentials and allow_origins cannot both be , if both are set, the allow_origins value of ““ takes effect.
  • allow_origins and allow_origin_patterns can be set simultaneously. First, check if allow_origins matches, then check if allow_origin_patterns matches.
  • Illegal CORS requests will return HTTP status code 403, with the response body content as “Invalid CORS request”.

Configuration Examples

Allow all cross-origin access, without allowing the requester to carry credentials

  1. allow_origins:
  2.   - 
  3. allow_methods:
  4.   - 
  5. allow_headers:
  6.   - 
  7. expose_headers:
  8.   - 
  9. allow_credentials: false
  10. max_age: 7200

Allow all cross-origin access, while allowing the requester to carry credentials

  1. allow_origin_patterns:
  2.   - 
  3. allow_methods:
  4.   - 
  5. allow_headers:
  6.   - 
  7. expose_headers:
  8.   - 
  9. allow_credentials: true
  10. max_age: 7200

Allow specific subdomains, specific methods, and specific request headers for cross-origin access, while allowing the requester to carry credentials

  1. allow_origin_patterns:
  4. allow_methods:
  5.   - GET
  6.   - PUT
  7.   - POST
  8.   - DELETE
  9. allow_headers:
  10.   - Token
  11.   - Content-Type
  12.   - Authorization
  13. expose_headers:
  14.   - ‘*’
  15. allow_credentials: true
  16. max_age: 7200

Testing

Test Configuration

  1. apiVersion: networking.higress.io/v1
  2. kind: McpBridge
  3. metadata:
  4.   name: mcp-cors-httpbin
  5.   namespace: higress-system
  6. spec:
  7.   registries:
  8.     - domain: httpbin.org
  9.       name: httpbin
  10.       port: 80
  11.       type: dns
  12. —-
  13. apiVersion: networking.k8s.io/v1
  14. kind: Ingress
  15. metadata:
  16.   annotations:
  17.     higress.io/destination: httpbin.dns
  18.     higress.io/upstream-vhost: httpbin.org
  19.     higress.io/backend-protocol: HTTP
  20.   name: ingress-cors-httpbin
  21.   namespace: higress-system
  22. spec:
  23.   ingressClassName: higress
  24.   rules:
  25.     - host: httpbin.example.com
  26.       http:
  27.         paths:
  28.           - backend:
  29.               resource:
  30.                 apiGroup: networking.higress.io
  31.                 kind: McpBridge
  32.                 name: mcp-cors-httpbin
  33.             path: /
  34.             pathType: Prefix
  35. —-
  36. apiVersion: extensions.higress.io/v1alpha1
  37. kind: WasmPlugin
  38. metadata:
  39.   name: wasm-cors-httpbin
  40.   namespace: higress-system
  41. spec:
  42.   defaultConfigDisable: true
  43.   matchRules:
  44.     - config:
  45.         allow_origins:
  47.         allow_origin_patterns:
  50.         allow_methods:
  51.           - GET
  52.           - POST
  53.           - PATCH
  54.         allow_headers:
  55.           - Content-Type
  56.           - Token
  57.           - Authorization
  58.         expose_headers:
  59.           - X-Custom-Header
  60.           - X-Env-UTM
  61.         allow_credentials: true
  62.         max_age: 3600
  63.       configDisable: false
  64.       ingress:
  65.         - ingress-cors-httpbin
  66.   url: oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/cors:1.0.0
  67.   imagePullPolicy: Always

Request Testing

Simple Request

  1. curl -v -H Origin: http://httpbin2.example.org:9090“ -H “Host: httpbin.example.com” http://127.0.0.1/anything/get\?foo\=1
  2. < HTTP/1.1 200 OK
  3. > x-cors-version: 1.0.0
  4. > access-control-allow-origin: http://httpbin2.example.org:9090
  5. > access-control-expose-headers: X-Custom-Header,X-Env-UTM
  6. > access-control-allow-credentials: true

Preflight Request

  1. curl -v -X OPTIONS -H Origin: http://httpbin2.example.org:9090“ -H “Host: httpbin.example.com” -H “Access-Control-Request-Method: POST” -H “Access-Control-Request-Headers: Content-Type, Token” http://127.0.0.1/anything/get\?foo\=1
  2. < HTTP/1.1 200 OK
  3. < x-cors-version: 1.0.0
  4. < access-control-allow-origin: http://httpbin2.example.org:9090
  5. < access-control-allow-methods: GET,POST,PATCH
  6. < access-control-allow-headers: Content-Type,Token,Authorization
  7. < access-control-expose-headers: X-Custom-Header,X-Env-UTM
  8. < access-control-allow-credentials: true
  9. < access-control-max-age: 3600
  10. < date: Tue, 23 May 2023 11:41:28 GMT
  11. < server: istio-envoy
  12. < content-length: 0
  13. <
  14.  Connection #0 to host 127.0.0.1 left intact
  15.  Closing connection 0

Illegal CORS Origin Preflight Request

  1. curl -v -X OPTIONS -H Origin: http://httpbin2.example.org“ -H “Host: httpbin.example.com” -H “Access-Control-Request-Method: GET” http://127.0.0.1/anything/get\?foo\=1
  2.  HTTP/1.1 403 Forbidden
  3. < content-length: 70
  4. < content-type: text/plain
  5. < x-cors-version: 1.0.0
  6. < date: Tue, 23 May 2023 11:27:01 GMT
  7. < server: istio-envoy
  8. <
  9. * Connection #0 to host 127.0.0.1 left intact
  10. Invalid CORS request

Illegal CORS Method Preflight Request

  1. curl -v -X OPTIONS -H Origin: http://httpbin2.example.org:9090“ -H “Host: httpbin.example.com” -H “Access-Control-Request-Method: DELETE” http://127.0.0.1/anything/get\?foo\=1
  2. < HTTP/1.1 403 Forbidden
  3. < content-length: 49
  4. < content-type: text/plain
  5. < x-cors-version: 1.0.0
  6. < date: Tue, 23 May 2023 11:28:51 GMT
  7. < server: istio-envoy
  8. <
  9. * Connection #0 to host 127.0.0.1 left intact
  10. Invalid CORS request

Illegal CORS Header Preflight Request

  1. curl -v -X OPTIONS -H Origin: http://httpbin2.example.org:9090“ -H “Host: httpbin.example.com” -H “Access-Control-Request-Method: GET” -H “Access-Control-Request-Headers: TokenView” http://127.0.0.1/anything/get\?foo\=1
  2. < HTTP/1.1 403 Forbidden
  3. < content-length: 52
  4. < content-type: text/plain
  5. < x-cors-version: 1.0.0
  6. < date: Tue, 23 May 2023 11:31:03 GMT
  7. < server: istio-envoy
  8. <
  9. * Connection #0 to host 127.0.0.1 left intact
  10. Invalid CORS request

Reference Documents